My domain is: ezproxy.gc.cuny.edu
My web server is (include version): ezproxy
The operating system my web server runs on is (include version): [sklein@ldv2 ~]$ cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): returns unknown
I run a proxy server called EZproxy and the sys-admin that ran the servers left, so trying to understand the cert setup.
EZproxy is a webserver, analogous to Apache, but certs are created and managed within the application: https://help.oclc.org/Library_Management/EZproxy/Secure_your_EZproxy_server/010SSL_configuration
Furthermore, EZproxy is a SAML service provider so I need to send cert metadata to the IDP identity provider. See steps 5-6:
So my question is why does my SAML setup continue to work, although the IDP folks have metadata for the previous cert, the cert that existed before August?
I know this is convoluted and I appreciate your assistance.
If you can confirm that the cert in use is expired, then I can only think that the service using that cert is not checking the validity dates on the cert - it only uses it for encryption.
If that is the case, you could easily use any cert for that purpose [even a self-signed cert].
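One way to check the two things raised above (is the cert the IdP holds in your SP metadata the same one the server is actually serving, and is that cert expired or about to expire) is the script below. It is an added example, not part of this thread or of EZproxy; it builds its own throwaway self-signed certs and a constructed SP metadata file in the standard SAML 2.0 layout, and the entityID, CN and paths are made-up placeholders.

```shell
#!/bin/sh
# Added example: generate a throwaway "served" cert and a "previous" cert,
# embed the served one in constructed SAML SP metadata, then compare
# fingerprints and check the validity window with openssl. Needs openssl.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: the cert the server currently serves (valid 1 day).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sp.example.edu" \
  -keyout "$WORK/served.key" -out "$WORK/served.pem" 2>/dev/null
# Constructed sample: an older cert, standing in for what an IdP may still hold.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sp.example.edu old" \
  -keyout "$WORK/previous.key" -out "$WORK/previous.pem" 2>/dev/null

# Constructed SP metadata: SAML metadata carries the cert as base64 DER, no PEM armor.
CERT_B64=$(sed '/-----/d' "$WORK/served.pem" | tr -d '\n')
cat > "$WORK/metadata.xml" <<EOF
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.example.edu/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data><ds:X509Certificate>$CERT_B64</ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
EOF

# SHA-256 fingerprint of the cert embedded in a metadata file ($1).
metadata_fingerprint() {
  { printf '%s\n' '-----BEGIN CERTIFICATE-----'
    sed -n 's/.*<ds:X509Certificate>\([^<]*\)<.*/\1/p' "$1" | fold -w 64
    printf '%s\n' '-----END CERTIFICATE-----'; } |
    openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of a PEM cert file ($1), e.g. the one the server serves.
served_fingerprint() { openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2; }

# Exit 0 if the metadata cert ($1) is the served cert ($2); 1 if the IdP holds a stale one.
metadata_matches() { [ "$(metadata_fingerprint "$1")" = "$(served_fingerprint "$2")" ]; }

# Exit 0 if the cert ($1) is still valid for at least $2 more seconds; 1 if expired or expiring.
cert_valid_for() { openssl x509 -noout -checkend "$2" -in "$1" >/dev/null; }
```

Against a real deployment, replace the constructed files with the metadata you sent the IdP and the cert EZproxy actually serves; a mismatch with a still-working login is the symptom the thread is asking about.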
Thank you. In pre-Let's Encrypt days, when we were using DigiCert, it seemed like we needed to renew before expiration, so I'm assuming it is checking for validity dates.
Looking at your cert history (crt.sh | ezproxy.gc.cuny.edu), it seems like your LE cert was automatically renewing just fine every 2 months (which is the advice from LE), until now. It should have renewed around 2023-08-21, but didn't. Unless crt.sh has a backlog of almost 2 weeks.
It's a web site [https://crt.sh/] operated by Sectigo.
The site name is intended to be an abbreviation of "Certificate Search".
You can use it to search for certificates issued by any CA.
@Osiris meant that crt.sh can sometimes be delayed in showing certs. But a 2 week delay is, um, unlikely.
However, I see your Aug 21 cert using a different system (censys.io), so it looks like crt.sh is problematic. Especially since your web server is using this Aug 21 cert, we know it is valid.
There is more information in this forum topic on the various Certificate Transparency systems people here are using to try to look up what certificates exist for that domain, if that's helpful: